Hi guys,
I seem to be having an issue using password hashing. I've never used it before and think I'm missing something obvious but can't see for looking…
Basically, I add a user from a PHP form that is then written to a MySQL database. The user gets added fine with a nonsense-looking password. But when I try and log in with that user I re-hash the password as I think I'm supposed to, but I seem to get a different hash.
Example code.
Add User form posts to this php script:
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    // generate a random salt to use for this account (32 random bytes -> 64 hex characters)
    $salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
    $saltedPW = $_POST['password'] . $salt;
    $hashedPW = hash('sha256', $saltedPW); // 64 hex characters
    // escape user-supplied values before putting them into the query string
    $username = mysql_real_escape_string($_POST['username']);
    $access   = mysql_real_escape_string($_POST['access']);
    $query = "INSERT INTO users (username, password, access, salt) VALUES('" . $username . "','" . $hashedPW . "','" . $access . "','" . $salt . "') ";
    $result = mysql_query($query) or die(mysql_error());
    if ($result) { // check the query result, not the query string (a non-empty string is always true)
        echo htmlspecialchars($_POST['username']) . " Successfully Added.";
    }
}
Login form posts to this:
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $username = mysql_real_escape_string($_POST['username']);
    // look up the salt that was stored for this user at registration
    $saltQuery = "SELECT salt FROM users WHERE username = '" . $username . "' ";
    $result = mysql_query($saltQuery) or die(mysql_error());
    $row = mysql_fetch_assoc($result);
    $salt = $row ? $row['salt'] : ''; // unknown user: empty salt, login simply fails below
    // re-hash the submitted password with the stored salt, exactly as at registration
    $saltedPW = $_POST['password'] . $salt;
    $hashedPW = hash('sha256', $saltedPW);
    $query = "SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $hashedPW . "' ";
    $result = mysql_query($query) or die(mysql_error());
    if (mysql_num_rows($result) > 0) {
        $row = mysql_fetch_row($result); // get the single row
        $access = $row[3];               // the access column
        // ... do stuff here
    }
}
Any suggestions where I'm going wrong?
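The same add-user / login flow written the way a practitioner would do it today, as an added example that is not the poster's code: password_hash() generates and stores its own random salt inside the hash string, so there is no separate salt column that can be stored differently from how it was generated, and prepared statements replace the string-built queries. It assumes the pdo_sqlite extension so it runs offline against an in-memory database; the table name, column names and the sample user are constructed for the demonstration, and the DSN would be swapped for a MySQL connection in a real application.

```php
<?php
// Added example (not the poster's code): registration and login with
// password_hash()/password_verify() and PDO prepared statements.
// Assumes pdo_sqlite for an offline, in-memory database.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// No salt column is needed: the salt lives inside the password_hash() output.
// The password column must be wide enough for the whole hash string; the PHP
// manual recommends 255 characters so future algorithms still fit.
$db->exec("CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    password VARCHAR(255) NOT NULL,
    access   TEXT NOT NULL
)");

function addUser(PDO $db, string $username, string $password, string $access): void
{
    // PASSWORD_DEFAULT is currently bcrypt; it adds a random salt and a work factor.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        "INSERT INTO users (username, password, access) VALUES (:u, :p, :a)"
    );
    // Bound parameters: user input never becomes part of the SQL text.
    $stmt->execute([':u' => $username, ':p' => $hash, ':a' => $access]);
}

// Returns the user's access level on success, or null when login fails.
function login(PDO $db, string $username, string $password): ?string
{
    // Fetch the stored hash by username only; the password is checked in PHP,
    // not in the WHERE clause, because password_verify() must re-run the
    // algorithm with the salt embedded in the stored hash.
    $stmt = $db->prepare("SELECT password, access FROM users WHERE username = :u");
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // unknown user or wrong password: same result for both
    }

    // If the default algorithm or cost has changed since the hash was stored,
    // replace it now while the plaintext password is available.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare("UPDATE users SET password = :p WHERE username = :u");
        $upd->execute([
            ':p' => password_hash($password, PASSWORD_DEFAULT),
            ':u' => $username,
        ]);
    }

    return $row['access'];
}

// Constructed sample data for the demonstration.
addUser($db, 'alice', 'correct horse battery staple', 'admin');

var_dump(login($db, 'alice', 'correct horse battery staple')); // correct password
var_dump(login($db, 'alice', 'wrong password'));               // wrong password
var_dump(login($db, "alice' OR '1'='1", 'anything'));          // input is only ever a bound value
```

The first call returns the stored access level and the other two return null; the third shows why the lookup is done with a bound parameter rather than by concatenating the username into the query. Note also that the stored hash is never compared with `=` in SQL: two password_hash() calls on the same password produce different strings (different salts), so only password_verify() can check them.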